FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?

Brian A. Seklecki lavalamp at spiritual-machines.org
Sat Sep 29 17:17:17 PDT 2007 

There should be an nss_ldap.conf and pam_ldap.conf in /usr/local/etc . 
You need to set a variety of settings there.  What do they look like?

Remember: pkg_info -L pam_ldap nss_ldap!

Also, not sure about the TCP FIN_2 issue -- probably just the usual shakes 
and bangs with -current.  ~BAS


On Fri, 28 Sep 2007, O. Hartmann wrote:

> Thank you for responding.
> So, I'll feel free reporting my bad luck. This is a reference page I 
> consulted for some hints, but without success:
>
> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
>
> First, OS ist the most recent FreeBSD 7.0.
> OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or 
> anything else apart from default
> PAM_LDAP
> NSS_LDAP
>
> I renamed cached.conf to nscd.conf as suggested (for your information).
> In /etc/nsswitch.conf I changed
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
> #
> group: files ldap
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: files ldap
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> I also changed /etc/pam.d/sshd to this:
>
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth            sufficient      pam_opie.so             no_warn 
> no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn 
> try_first_pass
> auth            sufficient      /usr/local/lib/pam_ldap.so no_warn 
> try_first_pass
> auth            sufficient      pam_ssh.so              no_warn 
> try_first_pass
> auth            required        pam_unix.so             no_warn 
> try_first_pass
>
> # account
> account         required        pam_nologin.so
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_unix.so
>
> # session
> #session        optional        pam_ssh.so
> session         required        pam_permit.so
>
> # password
> #password       sufficient      pam_krb5.so             no_warn 
> try_first_pass
> password        required        pam_unix.so             no_warn 
> try_first_pass
>
> Both configuration files for nss_ldap and pam_ldap respective got linked to 
> /usr/localetc/openldap/ldap.conf, which looks like this:
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE    dc=foo,dc=org
> #URI    ldapi:///
> URI     ldapi://%2fvar%2frun%2fopenldap%2fldapi/
>
> #SSL     start_tls
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
>
> #TLS_CACERT    #TLS_CERT      #TLS_KEY               #TLS_REQCERT    allow
> #TLS_REQCERT    demand
> #TLS_CHECKPEER  yes
>
> My /etc/rc.conf.local file has the following OpenLDAP specific entry:
>
> ###########################################################
> ### OpenLDAP Server                                     ###
> ###########################################################
> slapd_enable="YES"
> #slapd_flags='-d 3 -4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ 
> ldap:/// ldaps:///"'
> slapd_flags='-4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ 
> ldap://192.168.2.210 ldaps://192.168.2.210"'
> slapd_sockets="/var/run/openldap/ldapi"
>
>
> My OpenLDAP config file has SSL-certificates disabled.
>
> After the installation of nss_ldap the slapd server takes several decades of 
> seconds to start. But it starts well and after it has initiated itself, I can 
> do on the server a simple 'slapcat' and receive.
>
> But I can't access the LDAP server. Doing an 'id testuser' results in 'id not 
> found'.
>
> On the console, I receive massively errors like this:
>
> TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>; 
> tcp_do_segment: FIN_WAIT_2: Received data after socket was closed, sending 
> RST and removing tcpcb
>
> Well, I checked sockstat for a listening slapd and I found slapd listening on 
> both loopback, local NIC adn on both ports 389 and 636.
>
> So what is wrong ?
>
> Regards,
> a desperate Oliver
>
>
>
>
> Brian A. Seklecki wrote:
>> FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
>> (PKI). 
>> All other services (RADIUS, Apache ((mod_ldap, mod_pam_auth), PHP,
>> interactive shell, SFTP, etc.) can be tied into LDAP either directly or
>> via PAM.
>> 
>> As for password change, I don't know if anyone has a passwd(1) binary
>> that properly changes the LDAP password attribute -- if there is and its
>> out there, it requires ACL insanity.  Like Oracle, you can either
>> understand OpenLDAP ACLs, or you have real work to do  >:}
>>
>>         Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
>>         -- set to "debug 1" to get debugging info.  Feel free to share
>>         error messages.
>> 
>> ~BAS
>> 
>> On Fri, 2007-09-28 at 10:54 +0000, O. Hartmann wrote:
>> 
>>> Hello out there,
>>> I have a problem with setting up an FreeBSD box as OpenLDAP server with 
>>> several services, like SAMBA, NFS.
>>> 
>>> The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also acting 
>>> as OpenLDAP server. So far. OpenLDAP is up and running, using TLS/SSL 
>>> certificate. SAMBA is also up and running - but it never connects to the 
>>> OpenLDAP server due to an connection error, but this shouldn't be the 
>>> subject here, I have more basic questions about what FreeBSD already has 
>>> and what to install additionally.
>>> 
>>> I want customers to log in on the FBSD box, so they sould log in 
>>> (authenticated via OpenLDAP), change their passwords and shells and those 
>>> user specifica should be updated on the LDAP server.
>>> 
>>> I already installed pam_ldap-port but ran into trouble because FreeBSD's 
>>> nss obviously does not have a tag 'ldap' to refere to an OpenLDAP server 
>>> (and not files).
>>> Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff, 
>>> especially if SSL/TLS come into play and I would like to ask those herein 
>>> administering those setups, especially within a hybrid NFS/SAMBA 
>>> fileservicing environment, where to find up to date 
>>> informationes/howto/tipps.
>>> 
>>> Most websites and HowTo's I found were Linux related or, if related to 
>>> FreeBSD, outdated.
>>> 
>>> Sorry beeing so unspecific, but the problem is complex (to me) so I would 
>>> better ask for those who are willing to help or give hints and tips.
>>> 
>>> Thanks in advance and for your patience,
>>> Oliver
>>> 
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to 
>>> "freebsd-questions-unsubscribe at freebsd.org"
>>> 
>>> 
>>> 
>>> 
>>> 
>>>
>>> 
>>
>> 
>
>

l8*
 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
 	       http://www.spiritual-machines.org/

     "Guilty? Yeah. But he knows it. I mean, you're guilty.
     You just don't know it. So who's really in jail?"
     ~Maynard James Keenan

More information about the freebsd-questions mailing list